S3

Our S3 Bucket is kbsoftware

Our tree structure is:

kbsoftware/contacts/<client site name e.g. hatherleigh_info>/<client folders>

e.g:

kbsoftware/contacts/hatherleighcommunitycentre_couk/calendar/

Add a new Client to S3

Create a new folder in S3 e.g:

kbsoftware/contacts/hatherleigh_info

Create (or find) an IAM user (Services, IAM, Users, then the user's Summary page and its Security credentials tab).

Tip

The user name should match the name of the web site for the client…

Uncheck the Generate an access key for each user box and click Create (10/01/2020, I cannot see this on the control panel).

Open the newly created user and click the Groups tab. Add the user to the contacts group.

Under Manage Password give them a defined password and record it along with their user name (10/01/2020, I cannot see this on the control panel).

Click Create Access Key and download the credentials.csv file to the relevant folder in the Private folder.

Tip

We have used Cyberduck CLI to upload files to S3. For detailed information, see our Private client notes (search for calendar.rst).

Apply a Bucket Policy

These policies appear to apply to all users.

Click Add or Edit Bucket Policy from:

https://console.aws.amazon.com/s3/home?region=eu-west-1

To allow public (anonymous) read-only access to every object in the bucket:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowPublicRead",
            "Effect": "Allow",
            "Principal": {
                "AWS": "*"
            },
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::kbsoftware/*"
        }
    ]
}

Apply a User, Group or Role Policy

Click Create Policy in:

https://console.aws.amazon.com/iam/home?region=eu-west-1#policies

Select Create Your Own Policy and enter a Policy Name and the policy JSON below.

To restrict each user to their own folder (contacts/<user name>/):

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowGroupToSeeBucketListInTheConsole",
            "Action": [
                "s3:ListAllMyBuckets",
                "s3:GetBucketLocation"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::*"
            ]
        },
        {
            "Sid": "AllowRootAndHomeListingOfCompanyBucket",
            "Action": [
                "s3:ListBucket"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::kbsoftware"
            ],
            "Condition": {
                "StringEquals": {
                    "s3:prefix": [
                        "",
                        "contacts/"
                    ],
                    "s3:delimiter": [
                        "/"
                    ]
                }
            }
        },
        {
            "Sid": "AllowListingOfUserFolder",
            "Action": [
                "s3:ListBucket"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::kbsoftware"
            ],
            "Condition": {
                "StringLike": {
                    "s3:prefix": [
                        "contacts/${aws:username}/*"
                    ]
                }
            }
        },
        {
            "Sid": "AllowAllS3ActionsInUserFolder",
            "Action": [
                "s3:*"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::kbsoftware/contacts/${aws:username}/*"
            ]
        }
    ]
}
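As an added illustration (not part of these notes), a small Python simulation of how the per-user policy above is evaluated: it substitutes ${aws:username}, matches actions and resources with IAM-style wildcards, and applies the StringEquals/StringLike conditions, so you can check which requests a given client user can make before uploading the policy. The statements inside it are transcribed from the policy above; the user name and object keys in the sample calls are constructed.

```python
import fnmatch

# Compact copy of the bucket-scoped statements of the user policy above (all Effect: Allow;
# the ListAllMyBuckets statement is omitted). ${aws:username} is filled in per request.
USER_POLICY_STATEMENTS = [
    {"Sid": "AllowRootAndHomeListingOfCompanyBucket",
     "Action": ["s3:ListBucket"], "Resource": ["arn:aws:s3:::kbsoftware"],
     "Condition": {"StringEquals": {"s3:prefix": ["", "contacts/"],
                                    "s3:delimiter": ["/"]}}},
    {"Sid": "AllowListingOfUserFolder",
     "Action": ["s3:ListBucket"], "Resource": ["arn:aws:s3:::kbsoftware"],
     "Condition": {"StringLike": {"s3:prefix": ["contacts/${aws:username}/*"]}}},
    {"Sid": "AllowAllS3ActionsInUserFolder",
     "Action": ["s3:*"],
     "Resource": ["arn:aws:s3:::kbsoftware/contacts/${aws:username}/*"]},
]

def _condition_holds(condition, context, username):
    """All condition keys must match (IAM ANDs them); a key absent from the request fails."""
    for operator, keys in condition.items():
        for key, allowed in keys.items():
            if key not in context:
                return False
            allowed = [v.replace("${aws:username}", username) for v in allowed]
            if operator == "StringEquals":
                ok = context[key] in allowed
            else:  # StringLike: IAM wildcards * and ? behave like fnmatch here
                ok = any(fnmatch.fnmatchcase(context[key], v) for v in allowed)
            if not ok:
                return False
    return True

def is_allowed(username, action, resource, context=None):
    """Simplified IAM evaluation: implicit deny unless some Allow statement matches."""
    context = context or {}
    for stmt in USER_POLICY_STATEMENTS:
        if not any(fnmatch.fnmatchcase(action, a) for a in stmt["Action"]):
            continue
        resources = [r.replace("${aws:username}", username) for r in stmt["Resource"]]
        if not any(fnmatch.fnmatchcase(resource, r) for r in resources):
            continue
        if _condition_holds(stmt.get("Condition", {}), context, username):
            return True
    return False

if __name__ == "__main__":
    # Constructed sample: IAM user named after the client site, as the Tip above advises.
    user, bucket = "hatherleigh_info", "arn:aws:s3:::kbsoftware"
    print(is_allowed(user, "s3:PutObject", f"{bucket}/contacts/{user}/calendar/x.ics"))  # True
    print(is_allowed(user, "s3:ListBucket", bucket, {"s3:prefix": "contacts/"}))  # False: no delimiter
```

Remember that the separate bucket policy above grants s3:GetObject to Principal "*" on kbsoftware/*, so once it is applied every object in every client folder is readable anonymously; the user policy only limits what an authenticated IAM user can list and write.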